Published by Enhelion, 2019-11-19 14:44:54

Module 4

Vulnerability Assessment

What is Vulnerability?
In computer security, a vulnerability is defined as a weakness which can be exploited by a threat
actor, such as an attacker, to perform unauthorized actions within a computer system. To
exploit a vulnerability, an attacker must have at least one tool or technique that can connect to
a system weakness. In reference to this, vulnerability is also known as the attack surface.
What is Vulnerability Assessment?
Vulnerability assessment refers to the process of identifying risks and vulnerabilities in
computer networks, systems, applications, hardware, and other parts of the IT system.
This process may involve automated and manual techniques with varying degrees of precision
and an emphasis on an all-inclusive coverage. Using a risk-based approach, vulnerability
assessments may target different layers of technology, the most common being host, network,
and application-layer assessments.
Vulnerability assessments provide information to security teams and other stakeholders that
they need to analyze and prioritize risks for potential remediation in the proper circumstances.
Vulnerability testing helps organizations recognize vulnerabilities in their software and
supporting infrastructure before an offense can take place. But, what exactly is a software
A vulnerability can be defined in two ways:

1. A bug in code or a flaw in software design that can be exploited to cause harm.
Exploitation may occur via an authenticated or unauthenticated attacker.

2. A weakness in internal controls or a gap in security procedures that results in a security
breach when exploited.

1. Asset Identification

You can't protect what you don't know about. An inventory of the assets must be
made to determine what could be at risk. The five types of assets to inventory are as

• data - all the information the company has, in all the forms in which it is stored
• hardware - this refers to IT hardware. Other hardware assets go under physical assets
• personnel - this category is broadly defined to include employees, customers,
partners, vendors, and any other people who come in contact with the company
• physical assets - including what an accountant might call capital assets: buildings,
cars, trucks, furniture, etc.
• software - any software the company owns or uses

2. Threat Evaluation
The function of the Threat Evaluation component is to compare the threat of the
known target candidates (tracks) in order to determine which targets shall be
engaged first.

3. Threat Modeling

Threat modeling is a procedure for optimizing network security by identifying
objectives and vulnerabilities, and then defining countermeasures to prevent, or
mitigate the effects of, threats to the system. In this context, a threat is a potential
or actual adverse event that may be malicious (such as a denial-of-service attack) or
incidental (such as the failure of a storage device), and that can compromise the
assets of an enterprise.

The key to threat modeling is to determine where the most effort should be put in
to keep a system secure. This changes as new factors develop and become known,
applications are added, removed, or upgraded, and user requirements evolve.

4. Vulnerability Appraisal

This step identifies the state of the organization and the vulnerabilities that a threat
agent might exploit. Experienced appraisers will be able to identify things they have
seen before and may notice related vulnerabilities.

5. Risk Assessment

The aim of this step is to determine the aftermath of each possible loss, attack, or


The first section is about vulnerability scanning tools, which obviously focus on IT

1. Port Scanners

Port scanning introduces the concept of using port addresses to identify processes,
services, and applications that are running on a device. A server may have only one IP
address, but it may be using several port addresses to keep track of sessions with
multiple clients.

There are three classic divisions of port addresses:

• well known - addresses 0 through 1023 are typically assigned to commonly used
protocols that might be used by system or root processes.

• registered - addresses 1024 through 49151 are used by any application or
service, and typically can be reallocated by users and programmers

• private - addresses 49152 through 65535 are also called dynamic addresses
which are allowed to be used by any application.

Just because a port is assigned does not mean that it is in use or needed in a given
environment. Ports that are not needed can be blocked by administrators. An attacker
might use a port scanner to determine the state of a port on a given machine. Likewise,
organizations may scan for open ports to identify those that need to be closed to
enhance security.

• open - a service is available and listening on this port for requests; attempts to
connect can be made

• closed - no service is listening on this port; attempts to connect will be rejected
with a reply

• blocked - no replies are sent, no connections are made, no information is given
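
The port ranges and the three port states above, as an added example that is not part of the original module: it classifies a port number and checks which open ports on a host you administer are not on a list of needed ports. The function names, the one-second timeout and the loopback demo listener are assumptions made for illustration.

```python
import socket

def port_class(port: int) -> str:
    """Return the classic range a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well known"
    if port <= 49151:
        return "registered"
    return "private"

def port_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt one TCP connection and report open, closed or blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"      # a service accepted the connection
        except ConnectionRefusedError:
            return "closed"    # the host replied, but nothing is listening
        except OSError:
            return "blocked"   # timeout or no usable reply

def unneeded_open(host, ports, needed):
    """List open ports on a host you administer that are not on the needed list."""
    return [p for p in ports
            if p not in needed and port_state(host, p) == "open"]

if __name__ == "__main__":
    # Constructed demo: a throwaway listener on loopback stands in for a service.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]
    print(port, port_class(port), port_state("127.0.0.1", port))
    print("to close:", unneeded_open("127.0.0.1", [port], needed=set()))
    srv.close()
    print(port, port_state("127.0.0.1", port))
```

A port reported as blocked only means no reply arrived within the timeout; a filtering firewall and an unreachable host look the same from the scanning side.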

2. Network Mappers

This is software that can be used to map what devices are connected to a network at
any given time. A text output is really more of a list, and a graphic output shows logical
connections through infrastructure devices. Note that this information is typically
gathered through ICMP packets, the same mechanism that is used to perform a ping.

This sort of information is useful to network staff as well as to attackers, since both
benefit from knowing the layout of a network.

3. Protocol Analyzers

A protocol analyzer, as noted in the text, can be a program or a standalone device. It
may also be called a packet sniffer, or just a sniffer. Its purpose is to examine packets on
the network, even those not meant for the device being used. Normally, NICs ignore
packets that are not sent to their MAC address (or to a broadcast address), but a
protocol analyzer puts a NIC in promiscuous mode, which means that it accepts all
packets passing by, allowing the operator to gather them in a capture file for

An attacker might run a protocol analyzer to capture copies of files from reconstructed
streams, read emails, read unencrypted passwords or view web pages.

Note also that the use of a protocol analyzer on a network without authorization is
generally forbidden in most environments. Doing this at your place of employment
without authorization could place your employment in jeopardy, and may have more
serious consequences.

4. Vulnerability Scanners

These are devices that would be of use to look for the vulnerabilities that have not yet
been identified on a network. It might include a port scanner and a network mapper.
An example of this kind of software that is recommended is Nessus, which is free for
individual use outside company environments.


There are many attacks which can affect the performance of the user's computer. But many of
them are now known, and there are methods which can be used to make sure those
attacks do not affect the system that seriously. Hence, one should know about those preventive
measures and should try their best to purge those attack threats, resulting in better
computer security.

Monitoring system logs

If someone monitors the logs, they will know what the usual happenings are. If something
unusual happens, they will be able to take preventive measures against it.
Log monitoring is very important since it also lets someone monitor the logs for sensitive
data. Thus, one can know if there has been a breach of the data itself.

Event logs: Event logs are generated through event monitoring. When an event occurs, such as
software running some program or data analysis taking place, logs are
generated. Event monitoring is the process of collecting, analyzing and keeping track of the
events that occur, like the processes done by the OS.

Audit logs: An audit log is basically the historic account of all the events which have happened to
the computer and which are related to a certain object. Normally, people just keep the logs
of the rich target that are managed by some promising server. However, there are some
problems related to audit log monitoring. For instance, it is difficult to
maintain such logs. One can maintain the log at the target, but the management agent talks
with the server, and hence the server can keep the log as well.

Security logs: The security log is used for keeping track of what is happening in the system. All
events and information related to security are saved and checked later. It should
be easy and readable as well.


When a person is aware that problems are occurring and the systems need to be guarded
well, they start putting up restrictions as a precaution. This is helpful since it can ensure
that data is not being stolen frequently, and hence can help protect the precious data in the
files. Here are some of the ways through which one can harden the security settings so that no
one can get access to the computer's files.

Disabling unnecessary services: As previously mentioned, there can be many applications too
which can become the source of the attacks. An important step is making sure that the services
which are not necessary are disabled first. If unnecessary applications are running, one would
have to monitor their activities as well. This would take up too much valuable time and
attention can be diverted to the unnecessary services. Shutting them down through task
manager or any other way can help one get hold of the system.

Protecting management interfaces and applications: One must be able to protect the
interfaces and the applications. Disabling applications is very important, since they can be
the weak point if there is some development error residing within them which could be exploited
by attackers. The interface services can also be disabled. There are some global services which
can be unnecessary and pretty insecure. If one feels that these services are not secure, they can
also be disabled on the router's interface. There are some basic cautions to take,
such as there are the loopback interfaces and some null interfaces which the physical interfaces
are and their location on the router. So, while disabling, they should be disabled as well, since it
is better to be safe than sorry at the end of the day. Any interface which is insecure
is basically one which isn't connected to the internet network that one has. They are the
ones which are actually connected to some public network, like the internet.
Such an interface can also be connected to some private network.

Also, there can be the connection with the private LAN and the remote office.

Password protection: There isn't too much to say about this, since it is a
common understanding that passwords are the gateway to one's accounts and are something
that one has to protect. So one should set strong passwords with some characters
in them, and if there is any default password, one should simply disable it and set a new one.

Disabling unnecessary accounts: If a person leaves the room and leaves their computer
unattended, an attacker may gain access to the computer through some guest account or an
idle account. Hence, it is important to manage the accounts as well.

Network security
Following are the ways through which one can ensure network security:
MAC limiting and filtering: Access control methods can be used for disabling the addresses
which are assigned to some network. These are a great tool, since these addresses can be used
for granting access to the described network.
802.1x: This standard is used for getting access to the network, so it should be made sure that
this standard is secure so one can stay away from the risk of being exposed to any cyber-attack.
Disabling unused interfaces and unused application service ports: The interfaces which are
unnecessary should be disabled, since they might harm the computer by bringing
in a virus. Also, there are some ports on the routers which can be cleared and closed up
for a secure system.
Rogue machine detection: There can be some rogue machines, which can be detected through
many methods, and hence one can safeguard his interest by getting away from them.

Security posture
Here are some security postures which one should have to protect themselves:
Initial baseline configuration: The configuration of the baseline should be done initially so that
risks can be minimized.
Continuous security monitoring: Setting up security isn't the only thing, one must measure and
monitor it too to check if it's effective.
Remediation: If some problem occurs, then some steps should be taken, like
instating some programs to defend the computer.

Here are the reporting methods which can be used:
Alarms: Alarms can alert someone easily so they should be paid notice to.
Alerts: Alerts shouldn't be ignored since they carry important messages.

Trends: Trends should be followed to see which threats are popular and take preventive
measures accordingly.

Detection controls vs. prevention controls

There are not only detection controls; there are prevention ones as well that can be used.
IDS vs. IPS: The IPS makes a report when there is any intrusion while IDS not only reports but
takes action too. Therefore, the IDS is a better tool.
Camera vs. guard: The cameras are effective since guards can doze off too. However,
strategically placed cameras can catch and record everything.

